Bureau 121: North Korea’s Military Hackers

In the Moonshin-dong area of North Korean capital Pyongyang, near the weaving Taedong River, is where researchers believe Bureau 121’s headquarters can be found.

Video Discussion of North Korea’s Cyber Attack Capability

Another Video Discussion of North Korea’s Bureau 121

Understood to be Pyongyang’s cyber-attack elite unit, Bureau 121 is staffed by the best and brightest – although its exact size is not known.

But in an isolated nation with dismally poor infrastructure, cyber operations are almost certainly orchestrated from outside the country.

Just over the border into China is where researchers think a key Bureau 121 outpost can be found, in Shenyang, the capital of Liaoning Province.

Remarkable analysis from computer firm HP pinpointed attacks emanating from the basement of a restaurant – attached to a hotel – described by one enthusiastic reviewer on Trip Advisor as being “immaculately clean with tasteful touches of North Korean tapestries and pillows”.

As you might expect, another said it had “great internet”.

Digital paper trail

Evidence of what exactly North Korean hackers have done – or could do – is extremely hard to come by.

Researchers have to rely on analysing digital paper trails to determine patterns of behaviour. Bureau 121, for instance, is said to routinely use a particularly recognisable strand of malicious code designed to cover its tracks.

But several researchers have cast doubt on some of the accusations pointed at Pyongyang. None more so than the hack on Sony Pictures last year, which US intelligence aimed squarely at North Korea, but which Pyongyang denies and others have said could easily have been carried out by another sophisticated group simply emulating Bureau 121’s style.

He gave several Bureau 121 members their first taste of computer science while teaching at Hamheung Computer Technology University – designed to bring computing expertise directly into the North Korean military.

Prof Kim told us that in his 23 years there, while he didn’t teach hacking techniques, he gave the students knowledge of the ins and outs of computing, networks and data transfer.

Image copyrightGetty ImagesImage caption The US has emphatically blamed North Korea for hacks on Sony Pictures – but some question the evidence

The very best students were later plucked from his course by the military and given further, more specialist training in cyber security. The hackers-in-waiting would usually be sent to China, or in some cases to Japan or Europe.

Those selected to join the unit live privileged lives in North Korea, as do their families.

Prof Kim told the BBC he feels saddened that some of the great, “bright” minds he nurtured had their potential channelled “not into improving our internet culture, but to terrorise other people using the internet”.

But he conceded that his former students probably enjoyed their task, and took pride in “accomplishing Kim Jong-un’s orders as a cyber warrior”.

South Korean targets

So who are those targets?

While questions remain over who was behind last year’s Sony Pictures hack, an earlier hack in 2013 points more strongly to North Korea. Three South Korean broadcasters, and a bank, suffered from a complete seizing up of their computers, locking out employees. According to the Wall Street Journal, the hackers had help from a high-ranking technology executive based in the South.

Image copyrightGetty ImagesImage caption Staff at South Korea’s Hydro and Nuclear Power Company were targeted by a hack this year

Analysis of the attack revealed a strand of malicious code since dubbed DarkSeoul. A similar technique was observed when researchers investigated the Sony Pictures hack just over a year later.

Prof Kim told me that Bureau 121 is looking to emulate Stuxnet, an attack on Iran, reportedly originating from the US and Israel, that was successful in damaging nuclear centrifuges.

Doing so would be a major escalation in North Korea’s capability – moving from attacking computer networks to instead harming infrastructure.

Mobile hack

But it’s not just the state doing the hacking in North Korea.

In the West we like to think of the country as wrapped up in its own delusion, spurred on by often comical images of leader Kim Jong-un smiling and pointing in situations which, on the face of it, seem primitive.

This mockery is most evident when it comes to technology, thanks in part to widely circulated pictures of Kim Jong-un looking at laughably huge boxes of computer equipment.

But that’s not to say the country is completely isolated. While in South Korea recently, our driver – who I’ll not name to protect the safety of his family still in North Korea – received a brief call from over the border.

Image caption Our driver takes a call from someone within North Korea

The woman on the line gave us an update on the situation there. The trains where she lived were working, she was pleased to report, but the same couldn’t be said about her home’s heating.

What was interesting about the call was the ingenuity with which it was made.

There is a mobile network in North Korea, called Koryolink, run by an Egyptian telecoms firm. But, crucially, it is locked down – you can only call others in the same country.

Near the border with China, however, smuggled phones provide a way out. Chinese mobile networks leak a few miles into North Korea, allowing international calls to be made.

But that doesn’t help those far from the borders – and so people on the borders have begun, for a fee, taking calls via the North Korean network from those deeper in the country – and then patching an international call together by holding the Korean phone up against the Chinese one.

A great hack, in the purest sense, and one Kim Jong-un can’t do a great deal about.